Solved: Can eval case match a fields value as a substring ... - Page 2

Chandras11 · ‎06-28-2018

Hi All,

index="index1" sourcetype="SC1" OR sourcetype="SC2"  | eval Ticket_Main5 = (Ticket,1,5)| eval Ticket_master = case(sourcetype="SC2" AND like(LINK_LIST, Ticket_Main5),SC2_Ticket,1=1,"NotFound")

For example Ticket= "Z1234B" and LINK_LIST is "C1234A001;Z1234A;Z1234B" and SC2_Ticket is "C1234A" . So I need to extract Ticket_Main5 first. Then check this field in another field LINK_LIST inside eval case. There are other arguments in eval case as well, which I removed here.

Or is there any other way, where I can check if a field value is a substring of other field value.

niketn · ‎06-28-2018

@Chandras11, please try the following run anywhere example based on the details provided.

| makeresults 
| eval Ticket="Z1234B", LINK_LIST="C1234A001;Z1234A;Z1234B" , sourcetype="SC2" 
| eval Ticket_Main5 = substr(Ticket,1,13) 
| eval Ticket_master = case(sourcetype="SC2" AND match(LINK_LIST, Ticket_Main5),"SC2_Ticket",true(),"NotFound")

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

Can eval case match a fields value as a substring to another field?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!